I'm assuming that it returns a URL to a private file, and that to access it, the user must have an authorised browser session. Is this correct?

Although I'm also thinking that the user may configure permissions certain areas (root folders, any folders?) or even individual files to be public. Is this the case, and if so is this catered for within RS.js?

I haven't looked at the server spec yet, so if it is all in there let me know and I'll go read! I just had a few minutes to begin looking at this but have to stop now so posting in case there's a quick answer. Thanks.

I'm assuming that it returns a URL to a private file, and that to access it, the user must have an authorised browser session. Is this correct?

It returns whatever the full URL of the item is. That is: storage base URL + item URL relative to storage root. For example if you request the item URL of foo-item using a BaseClient that is scoped to the category foo-category, then your URL will look something like https://mystorageprovider.com/foo-category/foo-item.

happybeing:

Although I'm also thinking that the user may configure permissions certain areas (root folders, any folders?) or even individual files to be public. Is this the case, and if so is this catered for within RS.js?

Only items in the special public/ directory are public. Every item is publicly accessible, but folder listings are not. A remoteStorage permissions scope is valid for both the private and public path of a category. For example if you have RW access to foo-category, you can read and write in both /foo-category/ as well as /public/foo-category/.

happybeing:

I haven't looked at the server spec yet, so if it is all in there let me know and I'll go read!